"The New York Times this morning published a story about the Spamhaus DDoS attack and how CloudFlare helped mitigate it and keep the site online. The Times calls the attack the largest known DDoS attack ever on the Internet. We wrote about the attack last week. At the time, it was a large attack, sending 85Gbps of traffic. Since then, the attack got much worse. Here are some of the technical details of what we've seen."

I just hope the seriousness of this is taken on board and action is taken to mitigate the effectiveness of this attack (there are a few different approaches to this, one of them being to patch the name servers themselves, but personally I'd rather see ISPs, peers and exchanges add some reverse engineering to their UDP forwarding, in that they only forward UDP packets if the IP address attached can be routed backwards, thus effectively checking whether the sender matches what the UDP packet describes).

That's actually a solution to what both the NYT article and one of the commenters on the CloudFlare blog identified as the real problem... that the 'net is full of routers that perform none of the sanity checks which would block such spoofed packets, regardless of what daemon we discover to be exploitable next week.

I'm no expert either, but your solution sounds more complicated (and, hence, more CPU intensive on the routers) than what they were proposing. It sounded like they were just proposing plain old source-interface checking so, when the attacker sends a spoofed packet to a DNS server, one of the border routers along the way drops it for arriving on the wrong interface.

Also, I believe it was the CloudFlare commenter who pointed out that this isn't the first attack of this kind. Before spoofed UDP flooding via DNS, there was spoofed SYN flooding.

"I'm no expert either, but your solution sounds more complicated (and, hence, more CPU intensive on the routers) than what they were proposing. It sounded like they were just proposing plain old source-interface checking so, when the attacker sends a spoofed packet to a DNS server, one of the border routers along the way drops it for arriving on the wrong interface."

We're talking about the same check. What I was describing was the process behind "plain old source-interface checking".

"Also, I believe it was the CloudFlare commenter who pointed out that this isn't the first attack of this kind. Before spoofed UDP flooding via DNS, there was spoofed SYN flooding."

Totally. But AFAIK we've never seen the same degree of amplification (e.g. every bit being multiplied up to as much as 10 bits) before, not even with SYN flooding. Which is where attacking open resolvers comes into play.

"We're talking about the same check. What I was describing was the process behind 'plain old source-interface checking'."

It doesn't seem like source interface filtering is a great solution to me, because on the internet there's technically no requirement that packets come in on the same interface they'll go back out of. In multi-homed setups this can even be explicit. Load balancers might do the same thing. But even in other, less exotic cases internet routers can switch paths dynamically as they rerun the shortest path algorithms. I don't know just how frequently this happens, but it's the reason UDP packets can arrive out of order.

So do you agree that source interface filtering could negatively affect legitimate users?

It's a DNS problem, so I feel that a DNS fix should be used instead of modifying our routers. It's much easier to update DNS software than a router. My understanding is that many commercial routers achieve their performance in hardware and become underpowered if too many packets get tossed into the software stack.

"... that the 'net is full of routers that perform none of the sanity checks which would block such spoofed packets, regardless of what daemon we discover to be exploitable next week."

A) This should be done on the customer-facing equipment, not on border routers.
B) Most ISPs already do this. Really.
C) You don't need to spoof the source to make use of open DNS resolvers. That is the crux of the problem, that this attack is created by "valid" packets.
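The source-address check argued about above (forward a packet only if the route back to its source leaves via the interface it arrived on) is what routers call strict unicast reverse path forwarding, and the multi-homing objection is its known false positive. The following is an added example, not code from the thread, CloudFlare or any router vendor: a toy edge router with a constructed forwarding table and constructed packets, showing strict mode dropping a spoofed packet, the "loose" variant that tolerates asymmetric routing, and what each mode misses. Interface names, prefixes and addresses are hypothetical (documentation ranges).

```python
import ipaddress

# Constructed FIB for a hypothetical ISP edge router: prefix -> egress interface.
# Two customer ports plus a default route towards the upstream.
FIB = {
    "203.0.113.0/24": "cust0",
    "198.51.100.0/24": "cust1",
    "0.0.0.0/0": "upstream",
}
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def lookup(addr):
    """Longest-prefix match: (matched prefix, interface) used to reach addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in FIB.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict(src, ingress):
    """Strict uRPF (the BCP 38 ingress filter): the packet passes only if the
    router would send traffic *to* src out of the interface it came in on."""
    route = lookup(src)
    return route is not None and route[1] == ingress


def urpf_loose(src, ingress):
    """Loose uRPF: the packet passes if any route other than the default
    exists for src, whatever interface it arrived on. Tolerates asymmetric
    routing but only catches unrouted (bogon) sources."""
    route = lookup(src)
    return route is not None and route[0] != DEFAULT


def check(src, ingress, mode="strict"):
    """Return 'forward' or 'drop' for a packet with source src seen on ingress."""
    ok = urpf_strict(src, ingress) if mode == "strict" else urpf_loose(src, ingress)
    return "forward" if ok else "drop"


def run_demo():
    """Constructed packets: (description, source IP, ingress interface)."""
    packets = [
        ("legit customer traffic", "203.0.113.5", "cust0"),
        ("cust0 spoofing a victim outside our network", "192.0.2.10", "cust0"),
        ("multi-homed customer sending cust1's prefix via cust0", "198.51.100.7", "cust0"),
        ("spoof of cust0's prefix arriving from the upstream", "203.0.113.9", "upstream"),
    ]
    return {desc: (check(s, i, "strict"), check(s, i, "loose")) for desc, s, i in packets}


if __name__ == "__main__":
    for desc, (strict, loose) in run_demo().items():
        print(f"{desc:55s} strict={strict:7s} loose={loose}")
```

Strict mode drops the spoofed packet at the customer port, which is where the comment above says the check belongs, but it also drops the multi-homed customer's legitimate asymmetric traffic. Loose mode keeps that traffic and still drops the spoof whose source has no route except the default, yet it forwards a spoof arriving from the upstream because the source prefix exists in the table; that is why the filter has to sit on customer-facing ports, close to where the spoof originates, rather than only at borders.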

Depending on which article you read, CloudFlare was talking about two types of DDoS attacks.

You are talking about recursive DNS resolvers, which can be done without spoofing. But to be fair, this particular attack WAS based on spoofing the source IP as the victim to get the large DNS responses (rather than the small requests) to eat up their bandwidth. It's how the bandwidth multiplication was achieved.

"The basic technique of a DNS reflection attack is to send a request for a large DNS zone file with the source IP address spoofed to be the intended victim to a large number of open DNS resolvers. The resolvers then respond to the request, sending the large DNS zone answer to the intended victim. The attackers' requests themselves are only a fraction of the size of the responses, meaning the attacker can effectively amplify their attack to many times the size of the bandwidth resources they themselves control."

A non-spoofing recursive DNS attack is possible too, but it's not clear that this could have achieved the amount of bandwidth multiplication they got by spoofing the victim's IP. Let me know if I'm overlooking something.
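The quoted description of a DNS reflection attack turns on the ratio between the small request and the large response. The example below is added here and is not code from the thread or from CloudFlare: it builds a real wire-format ANY query for a hypothetical name, answers it the way an open resolver would (honouring the client's advertised EDNS0 buffer size, otherwise the 512-byte UDP limit of RFC 1035 with the TC bit set on truncation), and measures the amplification factor. Record count and record size are constructed filler standing in for a large zone; the response omits the OPT record a real EDNS-aware server would echo back.

```python
import struct

ANY, TXT, OPT = 255, 16, 41
DEFAULT_UDP_LIMIT = 512  # RFC 1035 maximum UDP payload when no EDNS0 OPT is present


def encode_name(name):
    """DNS label encoding: "example.com" -> b"\\x07example\\x03com\\x00"."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype=ANY, edns_size=None, txid=0x1234):
    """Attacker/client side: one UDP query. With edns_size, an OPT pseudo-RR
    is appended whose CLASS field advertises the UDP reply size accepted."""
    arcount = 1 if edns_size else 0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    question = encode_name(name) + struct.pack(">HH", qtype, 1)      # class IN
    opt = b""
    if edns_size:
        opt = b"\x00" + struct.pack(">HHIH", OPT, edns_size, 0, 0)  # root, type, udp size, ttl/flags, rdlen
    return header + question + opt


def question_end(pkt):
    """Offset just past the question section (single question, uncompressed name)."""
    i = 12
    while pkt[i] != 0:
        i += pkt[i] + 1
    return i + 1 + 4


def advertised_payload_size(query):
    """Server side: the client's EDNS0 buffer size, or 512 if there is no OPT RR."""
    arcount = struct.unpack(">H", query[10:12])[0]
    qend = question_end(query)
    if arcount and query[qend] == 0:
        rtype, rclass = struct.unpack(">HH", query[qend + 1:qend + 5])
        if rtype == OPT:
            return rclass
    return DEFAULT_UDP_LIMIT


def build_response(query, rr_count, rr_size):
    """Resolver side: answer with rr_count TXT-type records of rr_size filler
    bytes each, fitting as many as the client's limit allows. Returns
    (packet, truncated). The packet goes to the query's *source address*,
    which is the whole point of spoofing it."""
    txid = struct.unpack(">H", query[:2])[0]
    question = query[12:question_end(query)]
    limit = advertised_payload_size(query)
    # Name is a compression pointer to offset 12 (the question name).
    rr = b"\xc0\x0c" + struct.pack(">HHIH", TXT, 1, 300, rr_size) + b"A" * rr_size
    answers, size = [], 12 + len(question)
    for _ in range(rr_count):
        if size + len(rr) > limit:
            break
        answers.append(rr)
        size += len(rr)
    truncated = len(answers) < rr_count
    flags = 0x8180 | (0x0200 if truncated else 0)  # QR, RD, RA (+TC)
    header = struct.pack(">HHHHHH", txid, flags, 1, len(answers), 0, 0)
    return header + question + b"".join(answers), truncated


def amplification(query, response):
    """Bytes delivered to the victim per byte the attacker had to send."""
    return len(response) / len(query)


if __name__ == "__main__":
    for edns in (None, 4096):
        q = build_query("example.com", edns_size=edns)
        r, tc = build_response(q, rr_count=30, rr_size=200)
        print(f"edns={edns}: query {len(q)} B, response {len(r)} B, "
              f"truncated={tc}, amplification {amplification(q, r):.1f}x")
```

Without EDNS0 the 29-byte query gets a 453-byte truncated answer (about 15x); with a 4096-byte EDNS0 buffer the 40-byte query draws a 4057-byte answer (about 100x). A victim that sees the TC bit would retry over TCP, but the spoofed victim never asked and simply absorbs the UDP flood, which is why capping the EDNS buffer size or rate-limiting large responses on open resolvers is one of the "DNS fixes" discussed above.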